The size of the Twitter community has reached a level at which it becomes very interesting to malware writers. We have written several times before about SEO attacks that attempt to use Google search trends to create pages with a high PageRank containing malicious content, or links to other pages containing malicious content.

Twitter seems to be using data mining to extract terms that are currently popular in the community. Making a new term popular in Twitter trends is a favourite pastime of many users. Only yesterday some of my friends tried to put Graham's Tetris clone game, Blox, into the top Twitter trends, but they did not manage.

It seems that a significant number of users is required to promote a relatively unknown term to a top trend.

If you are a malware writer intending to poison Twitter trends, you don't really need to push new terms. You can simply follow all the current news and tweet about the most popular stories, including a link to a malicious page. In the last couple of days a consistent campaign has been attacking Twitter trends to seed a fake security tool, Privacy center, and a similar attack is possible for any other malware.

The attackers first need to set up a number of new Twitter accounts. In this attack they seem to be using a variable number of characters concatenated with three digits, presumably to avoid user name collisions and to make creating a large number of accounts easier with a consistent naming scheme. Once the accounts are set up, the attackers can simply follow the most common terms and add new malicious tweets, which are then displayed in the search page for the popular trends. A skilled attacker should be able to automate this process.

Today the attackers seem to be concentrating on the recent death of actor David Carradine, the Big Brother reality show, Britain's Got Talent singer Susan Boyle and the bands Muse and Limp Bizkit.

The inserted malicious links point to one of several URLs that redirect to malicious websites pretending to contain pornographic videos and looking very similar to YouTube. The sites contain several links and JavaScript code that starts the download of an alleged codec installer which is supposedly required to view the videos.

When the installer is launched it installs a fake security application, Privacy center, which appears to scan the system for various security issues. The user interface is well designed, but like any fake security application it displays false results regardless of the system state, in an attempt to convince the user to buy the full version of a completely useless product. During testing in the lab I found no evidence that the program actually checks any area of the system.

The 140-character limit on Twitter messages has driven the adoption of URL shortening services such as tinyurl.com and bit.ly. They provide a great way for attackers to conceal the actual, malicious URLs, so they are extensively used by malware gangs and spammers. I have a feeling that the URL shortening services will have to invest some time in securing their redirection services to ensure that no malicious URLs can be included.
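As an added illustration (not code from the original post or from Sophos), here is a Python heuristic that scores tweets using the indicators described above: the letters-plus-three-digits account naming scheme, a shortened link, a mention of a current trend, and the same link reposted from several accounts. The sample tweets, trend list, shortener list and threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample tweets (account, text); not real accounts or links.
SAMPLE_TWEETS = [
    ("anna123", "David Carradine last video!! http://tinyurl.com/xAAAA"),
    ("bobby456", "Susan Boyle shock video http://tinyurl.com/xAAAA"),
    ("carl789", "Muse backstage clip http://bit.ly/yBBBB"),
    ("realfan", "Just saw Muse live, amazing show"),
    ("news_site", "David Carradine found dead http://example.com/story"),
]
# Trending terms named in the post; a real feed would refresh these.
TRENDS = ["david carradine", "big brother", "susan boyle", "muse", "limp bizkit"]
SHORTENERS = ("tinyurl.com", "bit.ly")
# Naming scheme described in the post: letters followed by exactly three digits.
ACCOUNT_PATTERN = re.compile(r"^[a-z]+\d{3}$", re.IGNORECASE)
URL_PATTERN = re.compile(r"https?://\S+")

def extract_urls(text):
    """Return URLs in a tweet, with trailing punctuation stripped."""
    return [u.rstrip(".,!?") for u in URL_PATTERN.findall(text)]

def score_tweet(account, text, trends, shared_urls):
    """Add one point per indicator present; return (score, reasons)."""
    reasons = []
    urls = extract_urls(text)
    if ACCOUNT_PATTERN.match(account):
        reasons.append("bulk-style account name")
    if any(u.split("/")[2].lower() in SHORTENERS for u in urls):
        reasons.append("shortened URL")
    if any(t in text.lower() for t in trends):
        reasons.append("mentions trending term")
    if any(u in shared_urls for u in urls):
        reasons.append("same URL posted by several accounts")
    return len(reasons), reasons

def flag_trend_poisoning(tweets, trends, threshold=3):
    """Return [(account, score, reasons)] for tweets scoring >= threshold."""
    url_accounts = defaultdict(set)  # first pass: which accounts post each URL
    for account, text in tweets:
        for u in extract_urls(text):
            url_accounts[u].add(account)
    shared = {u for u, accts in url_accounts.items() if len(accts) > 1}
    flagged = []
    for account, text in tweets:
        score, reasons = score_tweet(account, text, trends, shared)
        if score >= threshold:
            flagged.append((account, score, reasons))
    return flagged
```

On the constructed sample, the three bulk-named accounts are flagged while the genuine fan and the news account score only one point each.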

It is, however, more likely that Twitter will have to increase its security efforts and invest more resources in securing the community, which may have to include a limited choice of URL shortening sites and extensive checking of submitted URLs before they are allowed into the system, Twitter search results and Twitter trends.

Sophos Web Security Appliance blocks the malicious domains used in this attack, and other Sophos products proactively detect the components of Privacy center as Mal/FakeAV-AV.

About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.